@piyoki
Forked from PiDroid-B/actions_blacklist-update.conf
Last active September 1, 2023 14:43
OPNsense Custom script and Cron (example: unbound blacklist update)

OPNsense Custom Script and Cron

Introduction

A solution to update the unbound blacklist and whitelist

I have a service that provides my own IP blacklist.
I want to fetch the IP blacklist every minute and automatically drop all connections from it on OPNsense.
I already have Spamhaus installed (with its alias).

To solve this, I need:

  • an alias to make firewall rules
  • a script to download my blacklist
  • a new cron command available under OPNsense GUI
  • a cron job

Script to update blacklist

  • Create the script at /usr/local/etc/unbound/blacklist-update.sh (or wherever you want): vi /usr/local/etc/unbound/blacklist-update.sh
  • Add the content of the corresponding file below
  • Set permissions: chmod 0700 blacklist-update.sh

Script to update whitelist

  • Create the script at /usr/local/etc/unbound/whitelist-update.sh (or wherever you want): vi /usr/local/etc/unbound/whitelist-update.sh
  • Add the content of the corresponding file below
  • Set permissions: chmod 0700 whitelist-update.sh

Add a new cron command available under OPNsense GUI

Create a .conf file in /usr/local/opnsense/service/conf/actions.d/ (the file name must start with "actions_"):
vi /usr/local/opnsense/service/conf/actions.d/actions_blacklist-update.conf
Add the content of the corresponding file below, then restart configd and reload the action.

For configctl, the action name is the file name without the "actions_" prefix:

service configd restart
configctl blacklist-update reload

A cron job

Go to System > Settings > Cron and add a job.
Your new cron command appears in the Command dropdown.
Schedule it however you want.

actions_blacklist-update.conf (this gives the action name "blacklist-update"):
[reload]
command:/bin/sh /usr/local/etc/unbound/blacklist-update.sh
parameter:
type:script_output
message: Unbound Blacklist Update
description: Centralized Blacklist Update for Unbound DNS Service

actions_whitelist-update.conf (file name assumed, following the naming rule above; it gives the action name "whitelist-update", so it does not collide with the blacklist action):
[reload]
command:/bin/sh /usr/local/etc/unbound/whitelist-update.sh
parameter:
type:script_output
message: Unbound Whitelist Update
description: Centralized Whitelist Update for Unbound DNS Service
blacklist-update.sh:
#!/bin/sh
# Work in a fixed directory: a cron/configd job has no predictable working directory
cd /tmp || exit 1
# Download the file (-f: fail on HTTP errors instead of saving the error page as config)
curl -fL -o blacklist_full.conf https://raw.githubusercontent.com/hezhijie0327/GFWList2AGH/main/gfwlist2unbound/blacklist_full.conf
# Check whether the download succeeded
if [ $? -ne 0 ]; then
    echo "Download failed; check the network connection or the file URL."
    exit 1
fi
# Replace content: drop the per-zone forward options and swap the upstream server
# (literal spaces are used here because \xHH escapes are a GNU sed extension)
sed -i '' -e 's/    forward-first: "yes"//g' \
    -e 's/    forward-no-cache: "yes"//g' \
    -e 's/    forward-ssl-upstream: "yes"//g' \
    -e 's/8.8.8.8@853#dns.google/208.67.222.222@853/g' \
    blacklist_full.conf
# Check whether the replacement succeeded
if [ $? -ne 0 ]; then
    echo "Replacing the file content failed; check that the file exists and is writable."
    exit 2
fi
# Rename and move the file into unbound's include directory
mv blacklist_full.conf /usr/local/etc/unbound.opnsense.d/z.conf
# Restart unbound
/usr/local/sbin/pluginctl dns restart
# Check whether the service restarted successfully
if [ $? -ne 0 ]; then
    echo "Restarting the unbound service failed; check that the service exists and that you have permission to restart it."
    exit 3
fi
whitelist-update.sh:
#!/bin/sh
# Work in a fixed directory: a cron/configd job has no predictable working directory
cd /tmp || exit 1
# Download the file (-f: fail on HTTP errors instead of saving the error page as config)
curl -fL -o whitelist_full.conf https://raw.githubusercontent.com/hezhijie0327/GFWList2AGH/main/gfwlist2unbound/whitelist_full.conf
# Check whether the download succeeded
if [ $? -ne 0 ]; then
    echo "Download failed; check the network connection or the file URL."
    exit 1
fi
# Replace content: drop the per-zone forward options and strip the server name tag
# (literal spaces are used here because \xHH escapes are a GNU sed extension)
sed -i '' -e 's/    forward-first: "yes"//g' \
    -e 's/    forward-no-cache: "yes"//g' \
    -e 's/    forward-ssl-upstream: "yes"//g' \
    -e 's/223.5.5.5@853#dns.alidns.com/223.5.5.5@853/g' \
    whitelist_full.conf
# Check whether the replacement succeeded
if [ $? -ne 0 ]; then
    echo "Replacing the file content failed; check that the file exists and is writable."
    exit 2
fi
# Rename and move the file into unbound's include directory
mv whitelist_full.conf /usr/local/etc/unbound.opnsense.d/w.conf
# Restart unbound
/usr/local/sbin/pluginctl dns restart
# Check whether the service restarted successfully
if [ $? -ne 0 ]; then
    echo "Restarting the unbound service failed; check that the service exists and that you have permission to restart it."
    exit 3
fi
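Both scripts above install whatever the download returned and restart DNS on every run. As an added example (not from the gist or from the GFWList2AGH project), the following POSIX sh script rejects a download that is not a plain forward-zone list and restarts unbound only when the installed file changed; the upstream URL and target path are the ones the blacklist script uses, while the function names and the /tmp work file are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): validate a downloaded unbound forward-zone
# list before it becomes DNS configuration, and restart unbound only when the
# installed file changed. URL and target path come from the blacklist script.

# Return 0 only if FILE is non-empty and every non-comment line is a
# directive a forward-zone list may contain. An HTML error page, a stray
# "include:" or "local-data:" line, or an empty file fails the check.
check_forward_conf() {
    f=$1
    [ -s "$f" ] || return 1
    grep -Ev '^[[:space:]]*(#.*)?$' "$f" |
      grep -Ev '^[[:space:]]*(forward-zone:|name: *"[^"]*"|forward-addr: *[0-9A-Fa-f:.]+(@[0-9]+)?(#[A-Za-z0-9.-]+)?|forward-(first|no-cache|ssl-upstream): *"(yes|no)")[[:space:]]*$' |
      grep -q . && return 1
    return 0
}

# Replace DST with SRC only when the content differs. Returns 0 when DST
# was replaced (a restart is needed) and 1 when it was already identical.
install_if_changed() {
    src=$1; dst=$2
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        rm -f "$src"
        return 1
    fi
    mv -f "$src" "$dst"
}

# Download URL to a temp file, reject anything that is not a clean
# forward-zone list, install it and restart DNS only if it changed.
update_list() {
    url=$1; dst=$2
    tmp=$(mktemp /tmp/unbound-list.XXXXXX) || return 1
    # curl -f: an HTTP error body must never be written as configuration
    if ! curl -fsSL -o "$tmp" "$url" || ! check_forward_conf "$tmp"; then
        rm -f "$tmp"
        echo "rejected list from $url" >&2
        return 1
    fi
    if install_if_changed "$tmp" "$dst"; then
        /usr/local/sbin/pluginctl dns restart
    fi
}

# The network part only runs when asked, e.g. from the cron action:
#   /bin/sh blacklist-update.sh run
if [ "${1:-}" = "run" ]; then
    update_list https://raw.githubusercontent.com/hezhijie0327/GFWList2AGH/main/gfwlist2unbound/blacklist_full.conf /usr/local/etc/unbound.opnsense.d/z.conf
fi
```

The sed rewrite from the scripts above is left out; apply it to the temp file before check_forward_conf runs, so the check sees what unbound will load.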